Hackers stole Flipboard users’ email addresses and hashed passwords

Hackers stole Flipboard users' email addresses and hashed passwords

Flipboard has published a notice on its website about a “security incident” (a term companies prefer to use rather than simply saying they’ve been hacked).

The news aggregation site used by millions of people worldwide says that it recently discovered hackers had access to databases containing Flipboard users’ account details – including usernames, email addresses, hashed passwords, and account tokens for third-party social media accounts.

According to Flipboard, there were two periods of time during which hackers had access to the sensitive information – the almost ten months between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.

Sign up to our free newsletter.
Security news, advice, and tips.

Users have received an email from Flipboard, telling them that their passwords have been reset. The next time users login they will asked to create a new password.

Flipboard email

Obviously it makes sense for users to also ensure that they are not using the compromised password anywhere else on the internet. As we discuss time and time again on this site, you should never reuse the same password in different places. If your puny human brain isn’t capable of remembering lots of unique, complex passwords then you’re in the same boat as me – use a good password manager instead.

Considering that email addresses may also now be in the hands of the hackers, users would be wise to look out for phishing emails which may purport to come from Flipboard.

From the sound of things, Flipboard switched from using the SHA-1 hashing algorithm for password storage to bcrypt, which is held in higher regard, in 2012:

If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with SHA-1.

Frankly it might have been a good idea for Flipboard to have forced users to reset their passwords back in 2012 when they introduced the stronger hashing algorithm, rather than allowed older weaker-protected passwords to persist for so many years.

Flipboard says it has notified law enforcement about the security breach.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.